The Relationship Between Facebook and Privacy: It’s Really Complicated

The tension between Facebook and its users — and governments, and advocacy groups — over privacy is one of the biggest thorns in the company’s side right now, as it tries to balance the demands of the network (and of advertisers) with the desires of users, and with the law. And all of this is taking place in an environment where the very meaning of what is “private” and what is “public” is being redefined, by Facebook and other online giants such as Google (s goog), and even users themselves sometimes can’t decide what information they want to share with the world and what they don’t.

Advertisement

Over the past few weeks, the social network has been caught at the center of a privacy maelstrom, with consumer groups attacking it — 15 of them filed a formal letter of complaint with the Federal Trade Commission late yesterday — senators sending threatening letters, and growing numbers of users canceling or deactivating their accounts over privacy concerns. The company has been struggling to respond to security holes that expose private data such as chats, and a survey released yesterday by Consumer Reports says that more than 50 percent of people engage in what it calls “risky behavior” on the social network. Another survey of Facebook users finds that their use of the network is inherently shallow and largely unfulfilling.

Even as he is being hailed as a billionaire genius akin to Microsoft (s msft) founder Bill Gates, the empire Mark Zuckerberg has built seems to be taking fire from critics on all sides. But is all of this criticism fair? Probably not. It’s true that Facebook’s launch of recent changes involving “instant personalization” and the creation of community pages related to users’ profile interests has been badly handled. And it doesn’t help that many people are confused by how to adjust their privacy settings, how to control what information is displayed, and how to disable applications (we put together a comprehensive guide to the new changes and how to disable them if you want to).

But it’s also true that Facebook exists, and has accumulated almost half a billion users worldwide, because it makes it easy for people to connect with their friends and family and to share things with them: photos, thoughts, social games, goofy gifts and yes, even birth dates. Plenty of people clearly want to do this, even after they have been repeatedly warned about the risks, because they believe the trade-off is worth it. And perhaps Facebook doesn’t make it as clear as it could what is involved, or how to fine-tune its privacy controls — but at the same time, some of the onus for doing these things has to fall to users.

The complaint filed by the 15 consumer advocacy groups states that:

Facebook now discloses personal information to the public that Facebook users previously restricted. Facebook now discloses personal information to third parties that Facebook users previously did not make available. These changes violate user expectations, diminish user privacy, and contradict Facebook’s own representations. These business practices are Unfair and Deceptive Trade Practices.

The complaint specifically mentions the “instant personalization” feature that allows Microsoft’s Doc.com, Yelp, and Pandora to personalize their services when a user is logged in to Facebook, and also refers to the fact that Facebook connects profile details such as hometown, movie and music preferences, etc. to public “community pages.”

Those criticisms are all well and good, and the “instant personalization” feature probably wouldn’t have drawn as much fire if it wasn’t turned on by default, but Facebook does allow people to turn it off, and it tells them that their interests will be connected to community pages and become public, and allows them to opt out. It’s not clear from the complaint what the 15 privacy groups would rather the social network do, except not share any of that information at all. But here’s the rub: personalization is a useful feature, and community pages might be as well (it’s still too early to tell).

The Consumer Reports survey, meanwhile, says 52 percent of people post risky information on Facebook. It looked at 2,000 online households in January and found that 9 percent of social network users had been the victim of some form of online abuse in the past year such as malware infections, scams, identity theft or harassment. The report warned about a number of different “risky” activities such as posting your address, when you are home, and so on. But it also mentioned posting photos of family members as a risky behavior (stalking), along with your birth date (potential for identity theft), and other fairly commonplace activities. Isn’t posting photos and names and birthdays part of what Facebook is about? It wouldn’t be much of a social network without them.

Another survey, done by a Dutch company, interviewed readers of Fast Company about Facebook, including asking questions designed to determine whether they were really getting what they wanted out of the social network. The study determined that many users were not really engaging in deep social relationships and therefore weren’t getting a lot out of being on the network. “Online social networks make it easy for people to accumulate friends rapidly and to make commitments easily,” the study said, concluding that “what define social networks most [is] a lack of depth in relationships.”

But even this supposes a false dichotomy, between the connections we make through a social network and “real” relationships, where we phone each other and talk about our personal problems or the death of a loved one. The idea behind social networks, as described by sociologists, is that they help to create an “ambient awareness” of significant people in our lives — friends, family, acquaintances, co-workers — and allow us to stay in touch with them in some small way, not that they replace or mimic real-world relationships. If anything, they should help strengthen them.

And privacy? That’s complicated in the real world, too — Facebook didn’t invent that, or even pioneer it online. People have been breaching each other’s privacy for decades. Just because Facebook is making some mistakes doesn’t mean it should become the lightning rod for all of our pent-up dissatisfaction with normal human behavior.

Isnâ€™t posting photos and names and birthdays part of what Facebook is about? It wouldnâ€™t be much of a social network without them.

I think that this is a slightly deceptive framing. I think the point here is that of course we want to share things. We want to share photos and birthdays and who we are friends with and what we like – but we don’t want to share that information with everyone on the planet. This was the main reason I had for joining, the reason I thought facebook was such a fantastic idea in the first place. Before fb, there were other sites where we could build a profile, but they were basically web pages; everyone could see them. If we wanted to communicate privately we could email, but email has its limits. Facebook was a middle ground. I could upload my pictures of the party my friends and I had, and know that only my friends would see them. My friends might find my drunken shenanigans amusing; my mother might not.

It is not unreasonable to have a social network wherein one can choose not to reveal one’s information with all and sundry, yet still share it with the people one chooses. This is, in fact, a much more realistic mirror of real life.

Think about it in these terms: when you talk to your friends in a cafe, do you shout so that everyone can hear you? Probably not. Does it not strike people as odd that they are being forced to either scream at the top of their lungs so the whole world can hear them, or to keep silent? How is that a choice at all?

I’ve been struggling with leaving facebook or not since december 2009 when they changed the policy regarding who could ADD me as friend.

Before there were 3 options: everyone, friends of friends, no one … and I felt comfortable choosing the last one. Now there are just two … FB guesses that friends of friends should be mine & they think it too

“Isnâ€™t posting photos and names and birthdays part of what Facebook is about? It wouldnâ€™t be much of a social network without them.” That is the point! It was about sharing this information with people you already knew and wanted to share it with. With the public default and very tricky ways to protect your information (were ways are available), what might not have been risky (e.g., shared with friends and family) may become risky information. This article is a little too shallow on these issues.

Facebook is going to continue pushing the boundaries because in the end they want to make a profit (they honestly only want to pretend to protect privacy insofar as it helps their bottom line). The answer is simply that we need laws passed which restrict the allowed actions of Facebook. It’s our information and Facebook shouldn’t get a blank check to do whatever it wants with it. We need to codify stricter restrictions.

I’m considering getting rid of it as well. Not sure how it would effect the ‘business world’ as everyone likes to see a business owner on Facebook. I’ll wait a bit longer to see how this all plays out.

Tell me how is facebook different from the good old homepages in yahoo or for that matter in geocities? If those communities were allowed to be hyped like face book is they would also be having all the bells and whistles.

Facebook is another example of overbuying – where otherwise sane and serious adults in silicon valley get carried over by some college and highschool hype and clever marketing by a white teenager with semi caucasian looks. It makes me feel like throwing up.

With Yahoo or Geocities homepages you could control exactly what went on it, as you created with the use of their WYSIWYG tool for HTML coding. You didn’t necessarily put your complete personal history on those pages, but used them as a blank canvas. I myself had a couple of history projects on Geocities, and next to nothing about me, personally.

With Facebook, they’re increasingly moving towards a default of “share everything to everyone” when people want to decide what to share and with whom. Not to complete strangers, weirdos, stalkers, government agencies and your Boss.

Did you know it’s against FaceBook T&Cs to NOT update your personal profile with completely accurate information? Just how broad a scope is this information they “need” you to supply?

Privacy may be a complicated issue, but Facebook’s approach is not. They clearly have no regard for privacy, as is becoming evident by their behaviors and the words of their employees, including Mark Zuckerberg.

Facebook has violated the trust it has built up by:

Retroactively changing defaults from private to public.
It’s one thing to change the settings for all new accounts, but the opt-out approach to privacy on information that was previously opt-in is unethical and wrong.

Removing privacy controls altogether.
Community pages may have some use. But removing the ability to set the privacy of your profile information and forcing users to either make this information public or delete it altogether, is not a complicated privacy issue. It’s a clear disregard for privacy. If they valued privacy, they would have given users an option.

Designing confusing or difficult user interfaces whenever privacy is concerned.
We know Facebook can make usable user interfaces. So when features related to privacy are designed to confuse or discourage users, it is clearly intentional. Besides the steps needed to delete an account or disable sharing of information, the recent conversion to community pages forced users to unselect each interest separately instead of having an Unselect All button. I have an extremely difficult time believing that a team of developers as talented as the Facebook team left this common user interface idiom out unintentionally.

Designing an ethical privacy approach is not difficult and can be built on three principles:

Opt-In: Making information public should be opt-in, not opt-out.

Control: Users should be able to set the privacy level of their content, not have it dictated to them.

Usability: Privacy controls should be based on developed with a goal of usability, not profitability.

Through it’s actions and statements, Facebook clearly does not believe in these principles.

“But hereâ€™s the rub: personalization is a useful feature, and community pages might be as well (itâ€™s still too early to tell).”

It’s not too early. It’s a patent violation of privacy to be forced to display what you like to total strangers. The only way to opt out of community pages is to delete all of your activities, interests, and favorites, leaving you with a blank profile. Even then, any pages that you have liked that don’t qualify for “community status,” still show up on your public profile, even if you set these items as “only friends” or even “only me.”

“Just because Facebook is making some mistakes doesnâ€™t mean it should become the lightning rod for all of our pent-up dissatisfaction with normal human behavior.”

The problem is Zuckerberg has redefined his business based upon his beliefs about what is normal human behavior. And he’s a hypocrite. Go take a look at his facebook page “Mark only shares some of his profile information with everyone.” ORLY? If your “basic settings” are so great, then why isn’t your profile set up to reflect them Mark?

Speaking of settings, the privacy settings do nothing more than reflect how badly-trained Zuckerberg is. He has used nonsensical band-aid after band-aid to fix “mistakes” instead of using actual programming skills to streamline facebook into a user-friendly, transparent platform. Seriously, the computer science department at Harvard should be ashamed of what they helped create.

“Complicated” is not the word I’d use…..”bloody simple” more like. The financial value of any user in a freeconomic service is the net present value of their future spend, and the more Facebook can expose of it to merchants and advertisers and Joe Public etc, the more of their valuation they can justify.

Why is it that each time Facebook comes out with new features which deals with privacy they seem to do a very poor job on the PR end of it in terms of not only explaining in detail how it works but they fail to sell it as a benefit to their users.
They had similar problems with Beacon. They need to do a better job on this.

Mathew, you end your piece by saying that we have been invading each other’s privacy for decades, which may be true, but you must admit that FB takes our personal information and shoves it into the public sphere like no other organization in history. MZ honestly believes that privacy does not exist any more and is willing to build powerful tools that make that believe a self-fulfilling prophecy.

I’m not sure whether Zuckerberg believes that privacy doesn’t exist any more — much of that talk is based on a single offhand comment from an anonymous FB employee. I think he and Facebook are trying to find a happy medium between the comfort of users and the needs of their business, and they clearly haven’t found it yet.

There was a breach in Facebook few days back…i think it had a crash or something and all personal files locked were open to friends in the groups…later those people diagnosed the problem and said it will be closed for a few hours….was very shocked to hear this!!!!!!

Not to get all Confucian on your blog – but it does seem to me that the essence of a social networking site is trust. And Facebook seems to be on the verge of losing that trust by putting very sensitive privacy policies in place — on an opt-out basis.

Facebook has always been an innovative site. Innovation is important â€“ but it has to happen responsibly. Privacy policies could very well end up being the subprime mortgages of the advertising industry. With the new data sharing policies, we are once incident away from an unfortunate end user and an angry government getting involved in a big mess.

Thanks for the posts and for your point of view. Enjoy the weekend.
Arun Krishnan
blog.pontiflex.com

Thanks for the comment, Arun. You and others are right that trust is the central issue — and with government already circling around the privacy problem, it could definitely turn into a big mess for all concerned.

Trust is the central issue BUT all other forms of trust across the web have been destroyed by hackers/crackers/assorted criminals/et al…
FB will not get back the trust, they are leaving mistrust in their wake.
They will have to completely change how they “monetize” the product if they want to maintain their user growth.

As MacSmiley notes, there is no true opt-out for the community pages. Facebook will delete the info on your profile if you choose to “opt out.” This is tantamount to extortion, which, I have a theory, is exactly where they’re going: they’ll offer a pay option to keep your info truly private.

I agree w/ MacSmiley. I can’t give FB a break on this. The general issue of privacy may be complicated, but here’s something that isn’t: People hate default opt-ins. FB surely knows this (especially considering its prior experience with Beacon), but went ahead and did it anyway with Instant Personalization and didn’t tell you how to opt out. We all know that it’s more profitable for FB if its users share more personal info. It’s also secure in the knowledge that barring some catastrophic breach of privacy, its users aren’t likely to defect en masse. So in the absence of a financial motive for the company to really protect its users’ private info, you have to rely on the company’s ethical standards to protecting privacy. That’s why FB’s “ask for forgiveness rather than permission” approach is a cause for concern. The eff.org link someone provided below is an excellent analysis of how FB’s attitude on privacy has changed over its existence.

ya, it’s complicated, Facebook does understand this. At f8, all announcements about this were heavily couched in terms to make this as appealing as possible to developers, without sounding scary to the general public.

Actually, Om, it’s really not complicated at all. The first few times Facebook started making more stuff public, there was a lot of noise from the blogosphere, but ordinary people weren’t frightened and even the rabid naysayers were still maintaining a presence on Facebook.

This time it’s different. The US Senate is involved. Attorneys are involved. Defects have caused privacy breaches beyond even what was intended by Facebook. And executives of Facebook are saying, “Are we perfect? No.” The question they aren’t asking is “Are we competent?” And sadly, I think the answer to that one is “Hell, No!”

Do I think Facebook will survive? Probably. But they are going to need a serious competence transplant, and fast! It’s really not complicated at all – they’re simply a bunch of incompetent managers who’ve stumbled onto something that’s taken the world by storm and can’t manage it.

And yes, I still have a Facebook account. But I don’t think I will for long – it’s not giving me any value.

Interesting article. In fact Electronic Frontier Foundation came out with time line on the changes over privacy controls over time in FB. Here the link, you might want to check it out Facebook’s Eroding Privacy Policy: A Timeline http://eff.org/n/10206

FB accumulated 400 million users on the premise that “what happened on the Facebook stayed on the Facebook”. Now Facebook is changing tack and is FORCING users to publicize sensitive personal information that can be easily abused. Choices are being obliterated.

There’s no choice where Pages are concerned. Either you link your profile to public Pages, or you have a blank profile. Only a double bind would be worse.

RE: Instant Personalization. There is no doubt in my mind that Facebook has deliberately made it hard to opt-out. One SINGLE click should do the trick. But it takes clicking 5 different settings to plug the holes (for now, based on only 3 partners), and even that’s not a done deal??

And if you want out altogether? Ha! Deactivation versus deletion. That’s a joke. If you don’t already know the URL for the REAL delete your account page, it takes what? 8 clicks to get there?? It’s an obstacle course, and Zuckerberg’s no dumb bunny. He knows full well that people give up half-way through the process.

Zuckerberg does not deserve the benefit of the doubt you so generously give him.

Facebook makes a huge deal of how many locks they allow you to have on the front door, and all the while it’s shipping your belongings out the windows and the back door.

I think the overall theme here from privacy advocates etc is “You changed the rules by default – that’s not very nice” and the response by facebook is essentially “but you can turn it off”.

The issue here then is not only one of privacy but one of trust. Substantial changes to the direction a platform is going in are understandably of concern to some portion of the users who feel ill at ease perhaps not just for what facebook is doing now, but what it might do in the future.

Facebook does understand this. At f8, all announcements about this were heavily couched in terms to make this as appealing as possible to developers, without sounding scary to the general public.

But I think the response by Facebook is still insufficient. When you see how Google reacted (albeit belatedly) after the fracas over Buzz, It might seem more appropriate for Facebook to at least have offered an option across the network to explicitly turn it on or off – rather than engaging it by default.

On a more technical front, the recent private chat exploit seems not to engender much faith in their ability to keep things together in that respect either.

“Just because Facebook is making some mistakes doesnâ€™t mean it should become the lightning rod for all of our pent-up dissatisfaction with normal human behavior.”

No, it should be a lightning rod because it is one of the largest publicly accessible database or personal informtation in existence, and constantly makes changes to expose that data and then telling its users. Do you really not get that?